CN113411345A - Method and device for secure session - Google Patents

Method and device for secure session Download PDF

Info

Publication number
CN113411345A
CN113411345A CN202110730273.1A CN202110730273A CN113411345A CN 113411345 A CN113411345 A CN 113411345A CN 202110730273 A CN202110730273 A CN 202110730273A CN 113411345 A CN113411345 A CN 113411345A
Authority
CN
China
Prior art keywords
server
key
public
client
service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110730273.1A
Other languages
Chinese (zh)
Other versions
CN113411345B (en
Inventor
石康发
韩旭
熊伟然
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Agricultural Bank of China
Original Assignee
Agricultural Bank of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Agricultural Bank of China filed Critical Agricultural Bank of China
Priority to CN202110730273.1A priority Critical patent/CN113411345B/en
Publication of CN113411345A publication Critical patent/CN113411345A/en
Application granted granted Critical
Publication of CN113411345B publication Critical patent/CN113411345B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key

Abstract

The embodiment of the application provides a method for secure session, which comprises the following steps: the server receives a request for obtaining a public key from a client; a server sends a public key to a client, wherein the public key is from a public and private key pair generated by the server; the server receives an encryption key from the client, wherein the encryption key is obtained by encrypting a symmetric key based on a public key, and the symmetric key is generated based on the session between the client and the server and is used for encrypting and decrypting one or more messages in the session; and the server decrypts the encryption key based on a private key in the public and private key pair to obtain a symmetric key. Therefore, before the session is carried out between the client and the server, the symmetric key for encrypting and decrypting the service data in the session can be negotiated based on the pair of public and private keys, so that the method is fast, convenient and safe, and is beneficial to improving the data transmission efficiency and improving the user experience.

Description

Method and device for secure session
Technical Field
The present application relates to the field of information security, and more particularly, to a method and apparatus for secure sessions.
Background
Along with the continuous development of internet finance, finance on-line services develop rapidly, and the on-line financial services bring convenience to the work and life of people and also put higher requirements on the safety and efficiency of data transmission. Therefore, in the field of financial services, how to ensure the safe and efficient transmission of data is a problem to be solved urgently.
In the prior art, data transmission can be generally realized by adopting a hybrid encryption method consisting of a symmetric encryption algorithm and an asymmetric encryption algorithm, although the safe transmission of the data is ensured to a certain extent, the existing method has a complex process, and each data transmission needs to be encrypted and decrypted based on a symmetric key and an asymmetric key, so that the method is not suitable for application scenes needing to quickly and conveniently transmit the data. For example, in the field of financial services, a faster and more lightweight secure session method is required for data transmission of e-commerce platforms.
Disclosure of Invention
The embodiment of the application provides a method for secure session, so that the efficiency of data transmission is improved on the premise of ensuring the security of the session.
In a first aspect, the present application provides a method for securing a session, the method including: the server receives a request for obtaining a public key from a client; the server sends the public key to the client, wherein the public key is from a public and private key pair generated by the server; the server receives an encryption key from the client, wherein the encryption key is obtained by encrypting a symmetric key based on the public key, and the symmetric key is generated based on a session between the client and the server and is used for encrypting and decrypting one or more messages in the session; and the server decrypts the encryption key based on a private key in the public and private key pair to obtain the symmetric key.
Based on the above scheme, before a session is performed between a client and a server, a symmetric key for encrypting and decrypting service data in the session may be negotiated based on a pair of public and private keys. And, the symmetric key can be generated based on the session, and can be used for encryption and decryption of the service data in the session, without negotiating a key between the two parties before each service data transmission. Therefore, in the data transmission process, the data transmission device is fast, portable and safe, and is beneficial to improving the data transmission efficiency and improving the user experience.
Optionally, the method further comprises: the server receives an encrypted service request message from the client, wherein the service request message is used for requesting service access to the server; the server acquires a source Internet Protocol (IP) address of the service request message; the server performs access control based on the source IP address; and/or the server performs flow control based on the source IP address.
Optionally, the server performs access control based on the source IP address, including: the server determines whether the source IP address is matched with a preset illegal IP address; under the condition that the source IP address is matched with the illegal IP address, the server filters the service message request; or under the condition that the source IP address is not matched with the illegal IP address, the server continues to process the service message request.
Optionally, the server performs flow control based on the source IP address, including: the server determines whether the number of times of service access requests from the source IP address exceeds a preset threshold or not; under the condition that the frequency of service access requests from the source IP address exceeds a preset threshold, the server filters the service access requests; or under the condition that the number of times of the service access requests from the source IP address does not exceed the preset threshold, the server continues to process the service access requests.
Optionally, the server continues to process the service access request, including: the server decrypts the service request message based on the symmetric key; the server generates an encrypted service response message based on the service request message and the symmetric key, wherein the service response message is a response message aiming at the service request message; and the server sends the encrypted service response message to the client.
Optionally, after the server receives a request for obtaining the public key from the client, the method further includes: the server acquires the public and private key pair from a cache; and the server responds to a request for obtaining a public key from the client to generate the public and private key pair under the condition that the public and private key pair is not obtained from the cache.
Optionally, the public-private key pair is stored in a cache of the server, and a validity period of the public-private key pair is a predefined value.
Optionally, the symmetric key is a key generated based on a cryptographic algorithm SM4, and the public and private key pair is a key generated based on an RSA algorithm.
In a second aspect, the present application provides a method for securing a session, the method comprising: a client sends a request for obtaining a public key to a server; the client receives the public key from the server, wherein the public key is from a public and private key pair generated by the server; the client generates a symmetric key based on a session with the server, wherein the symmetric key is used for encrypting and decrypting one or more messages in the session; the client encrypts the generated symmetric key based on the public key to obtain an encrypted key; and the client sends the encryption key to the server.
Optionally, the method further comprises: the client encrypts a service request message based on the symmetric key to obtain an encrypted service request message; the client sends the encrypted service request message to the server; the client receives an encrypted service response message from the server, wherein the service response message is a response message aiming at the service request message; and the client decrypts the service response message based on the symmetric key to obtain the service response message.
Optionally, the symmetric key is a key generated based on a cryptographic algorithm SM4, and the public and private key pair is a key generated based on an RSA algorithm.
Based on the above scheme, before a session is performed between a client and a server, a symmetric key for encrypting and decrypting service data in the session may be negotiated based on a pair of public and private keys. And, the symmetric key can be generated based on the session, and can be used for encryption and decryption of the service data in the session, without negotiating a key between the two parties before each service data transmission. Therefore, in the data transmission process, the data transmission device is fast, portable and safe, and is beneficial to improving the data transmission efficiency and improving the user experience.
In a third aspect, an apparatus for a secure session is provided, which includes means or units for implementing the method for a secure session described in any of the first and second aspects and the first and second aspects. It should be understood that the respective modules or units may implement the respective functions by executing the computer program.
In a fourth aspect, a chip system is provided, which comprises at least one processor configured to support the implementation of the functions referred to in the first and second aspects and any possible implementation manner of the first and second aspects, for example, to receive or process data and/or information referred to in the above methods.
In a fifth aspect, an apparatus for securing a session is provided, which includes a processor configured to perform the method for securing a session in any one of the first and second aspects and the first and second aspects.
The apparatus may also include a memory to store instructions and data. The memory is coupled to the processor, and the processor, when executing the instructions stored in the memory, may implement the methods described above and in the second aspect as well as in the first and second aspects. The apparatus may also include a communication interface for the apparatus to communicate with other devices, which may be, for example, a transceiver, circuit, bus, module, or other type of communication interface.
A sixth aspect provides a computer-readable storage medium comprising instructions which, when executed on a computer, cause the computer to carry out the method of any one of the first and second aspects and the first and second aspects.
In a seventh aspect, a computer program product is provided, the computer program product comprising: a computer program (which may also be referred to as code, or instructions), which when executed, causes a computer to perform the method of any of the first and second aspects and the first and second aspects.
It should be understood that the third to seventh aspects of the present application correspond to the technical solutions of the first and second aspects of the present application, and the advantageous effects obtained by the various aspects and the corresponding possible implementations are similar and will not be described again.
Drawings
Fig. 1 is a schematic flow chart of the SM4 algorithm provided by an embodiment of the present application;
FIG. 2 is a schematic flow chart of an RSA algorithm provided by an embodiment of the present application;
fig. 3 is a schematic architecture diagram of an application scenario applicable to a method of secure session provided in an embodiment of the present application;
FIG. 4 is a schematic flow chart diagram of a method for secure sessions provided by an embodiment of the present application;
FIG. 5 is a schematic flow chart diagram of another method for securing a session provided by an embodiment of the present application;
FIG. 6 is a schematic flow chart diagram for access control to a request provided by an embodiment of the present application;
FIG. 7 is a schematic flow chart diagram for flow control of requests provided by an embodiment of the present application;
FIG. 8 is a schematic block diagram of an apparatus for secure sessions provided by an embodiment of the present application;
FIG. 9 is another schematic block diagram of an apparatus for secure sessions provided by embodiments of the present application;
FIG. 10 is a schematic block diagram of an apparatus for another secure session provided by an embodiment of the present application;
fig. 11 is another schematic block diagram of an apparatus for another secure session provided by an embodiment of the present application.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
For ease of understanding, some terms referred to in the present application are first explained.
Session (session): the term computer-related term, session, refers to the time interval between an end user communicating with an interactive system, and generally refers to the time elapsed between the time the end user registers in the system and the time the end user logs out of the system. That is, one Session represents the time interval during which one end user communicates with the server, with different end users having different sessions with the server.
In the embodiment of the application, a symmetric key is generated correspondingly when a Session exists in the system, and the symmetric key can be used for being stored in a Session object. That is, each client establishes a connection with the server to generate a session, and then generates a symmetric key of its own.
Symmetric key encryption: symmetric key encryption is also called private key encryption or shared key encryption, i.e. both parties sending and receiving data must use the same key to encrypt and decrypt the plaintext.
For ease of understanding, the embodiment of the present application shows a symmetric key encryption algorithm, i.e., the SM4 algorithm. The SM4 algorithm is known as the SM4 group cipher algorithm and is a cipher industry standard published in bulletin No. 23 issued by the national cipher authority in 3 months of 2012. The SM4 algorithm is a block symmetric key algorithm, plaintext, key and ciphertext are all 16 bytes, and encryption and decryption keys are the same. Both the encryption algorithm and the key expansion algorithm adopt 32-round nonlinear iteration structures. The decryption process is similar in structure to the encryption process except that the round keys are used in the reverse order.
The SM4 algorithm considers both plaintext and ciphertext into 4 32-bit words, that is, the plaintext is
Figure BDA0003139034870000051
The ciphertext is
Figure BDA0003139034870000052
The round key is
Figure BDA0003139034870000053
The SM4 algorithm cryptographically transforms to:
Figure BDA0003139034870000054
(Y0,Y1,Y2,Y3)=R(X32,X33,X34,X35)=(X35,X34,X33,X32)。
for the transformation T, reference may be made to the prior art, and details are not described herein for brevity.
The decryption transformation of the SM4 algorithm is the same structure as the encryption transformation, except for the order of use of the round keys.
The use sequence of the round keys in encryption is as follows: (rk)0,rk1,…rk31) (ii) a The use sequence of the round keys in decryption is as follows: (rk)31,rk30,…rk0)。
The round key is generated from an encryption key, where the encryption key is 128 bits in length, which may be expressed as MK ═ MK (MK)0,MK1,MK2,MK3) Wherein
Figure BDA0003139034870000055
For the specific generation process of the round key, reference may be made to the prior art, and details are not described herein for brevity.
For convenience of understanding, a schematic flow chart of the SM4 algorithm is given in the embodiments of the present application, and as shown in fig. 1, a round key is obtained by performing key expansion on a 128-bit encryption key, a 128-bit cipher text is obtained by performing round function transformation on the round key and a 128-bit plaintext, and a plaintext is obtained by performing 32 iterations on the 128-bit cipher text.
The symmetric key encryption method is adopted for encryption, a sender and a receiver must acquire and store a key in a secure manner, and the security of the key must be ensured. Symmetric key encryption has the advantage of fast encryption/decryption speed, is suitable for encrypting large data volumes, but has difficult key management. Therefore, in the actual application process, the symmetric key can be used for encrypting actual data, and other types of keys can be used for encrypting the symmetric key, so as to ensure the security of the symmetric key. Wherein the other type of key may be, for example, an asymmetric key.
Asymmetric key encryption algorithm: asymmetric encryption algorithms require two keys: a public key (public key for short) and a private key (private key for short). The public key and the private key are a pair, and if data is encrypted by the public key, the data can be decrypted only by the corresponding private key. This algorithm is called asymmetric encryption algorithm because two different keys are used for encryption and decryption.
The algorithm of the asymmetric encryption algorithm is complex, the calculation speed is low, and the safety is high. Therefore, in practical application, the asymmetric key encryption method and the symmetric key method can be combined to complete the encryption process. The symmetric key is encrypted by adopting an asymmetric encryption algorithm, so that the safety of the symmetric key is ensured, and then the data is encrypted by adopting the symmetric key, so that the speed of data encryption and decryption is improved.
For ease of understanding, the embodiment of the present application shows a schematic flow chart of an RSA algorithm as an asymmetric key encryption algorithm. Among these, the RSA encryption algorithm was proposed in 1977 by the three people Ron Rivest, Adi Shamir, and Leonard Adleman, together, under the initials of the names of the three people.
As shown in fig. 2, the RSA algorithm includes steps 210 to 260, and the steps 210 to 260 are described in detail below.
In step 210, two different large prime numbers p and q of 512-.
It should be understood that these two large prime numbers are chosen for later calculation of the encryption and decryption keys.
In step 220, the product n of p and q is calculated, n ═ p × q.
In step 230, the euler function Φ (n) — (p-1) × (q-1) for n is calculated.
In step 240, a large integer e is arbitrarily selected and used as the encryption key, where e is required to satisfy gcd (e, Φ (n)) -1.
Wherein, gcd is the greatest common divisor (gcd).
In step 250, the decryption key d is solved according to (d × e) mod (Φ (n)) ═ 1.
Where mod represents the remainder.
In step 260, according to C ═ Me(modn) encrypts the plaintext M into ciphertext C, according to which M equals Cd(modn) decrypts the ciphertext C into plaintext M.
As can be seen from fig. 2, the selection of p and q, the selection of e and the calculation of d in the RSA algorithm, and the calculation of encryption and decryption all involve large number operations. The process of generating prime numbers is complicated, and the process of performing prime number detection on the generated large prime numbers is also complicated. The encryption and decryption process involves a large number of modular exponentiations, the modular exponentiations are high in complexity and comprise division, and one division operation consists of multiple subtraction and multiplication, so that the RSA calculation speed is relatively low, and meanwhile, the algorithm is realized on hardware with high cost, but the security is higher than that of a symmetric encryption algorithm.
It should be understood that the above outlines the contents of the RSA algorithm, which is an asymmetric encryption algorithm, and has the characteristics of complex calculation process, high security, and lower efficiency than the symmetric algorithm.
In order to facilitate understanding of the embodiments of the present application, a brief description is provided below for an architecture applicable to an application scenario provided by the embodiments of the present application. Fig. 3 is a schematic architecture diagram of an application scenario applicable to the method for secure session provided in the embodiment of the present application. As shown in fig. 3, the architecture 300 may include: a server 310 and a client 320. The server 310 and the client 320 may communicate with each other. Server 310 may be used to implement encryption and decryption, traffic processing, flow control, access control, and other functions. In this embodiment, the server 310 may be configured to perform access control and flow control on an access request, generate a public-private key pair, decrypt an encryption key from a client, encrypt and decrypt a packet using a symmetric key, and perform service logic processing according to the packet. The client 320 may be configured to perform functions such as encryption, decryption, and display, and in this embodiment, the client may be configured to generate a symmetric key, encrypt the symmetric key with a public key, decrypt a response packet with the symmetric key, and display the response packet.
It should be understood that the architecture shown in fig. 3 is only an example, and should not be construed as limiting the present application in any way. For example, in other possible designs, server 310 and client 320 may be integrated, and the present application is not limited thereto.
The following describes the embodiment in terms of a process in which the server 310 and the client 320 interact for ease of understanding and explanation. A system comprising a server and a client may be considered as an execution subject, but this should not be construed as limiting the application in any way. The method provided by the embodiment of the present application may be an execution subject as long as the method can be executed by running a code or a program recorded with the method provided by the embodiment of the present application.
It should be understood that, when the client and the server are in a session state, for the security of data, an encryption method needs to be used to encrypt the data, that is, a message needs to be encrypted, as described above, since the symmetric key has a fast encryption/decryption speed and is suitable for encrypting a large amount of data, specific data such as a message may be encrypted by using the symmetric key, and for ensuring the security of the symmetric key to ensure the security of transmitted message data, the symmetric key may be encrypted by using an asymmetric encryption algorithm.
One possible implementation is: after a client and a server are connected to form a session, when the client sends request data to the server, a symmetric key is adopted to encrypt the request data, when the server receives the request data from the client and processes the request data to obtain response data, and when the server sends the response data to the client, another symmetric key is adopted to encrypt the response data. Therefore, the client and the server need a symmetric key to encrypt and decrypt data and a pair of public and private keys to encrypt and decrypt the symmetric key respectively in the whole session process.
For ease of understanding, fig. 4 shows a schematic flow chart of one possible implementation 400, the method 400 includes steps 401 to 414, steps 401 to 404 show the process of exchanging public keys between the client and the server, steps 405 to 407 show the process of encrypting the local symmetric key by the client using the peer public key and encrypting the service request message by using the local symmetric key, steps 408 and 409 show the process of decrypting the peer symmetric key by the server using the local private key, and a process of decrypting the service request message by using the opposite-end symmetric key, where steps 410 to 412 show a process in which the server encrypts the local symmetric key by using the opposite-end public key and encrypts the service response message by using the local symmetric key, and steps 413 to 414 show a process in which the client decrypts to obtain the service response message, and the following description is provided for each step.
In step 401, the client generates a first public-private key pair.
And the first public and private key pair comprises a first public key and a first private key.
In step 402, the client sends the first public key to the server.
In step 403, the server generates a second public-private key pair.
And the second public and private key pair comprises a second public key and a second private key.
In step 404, the server sends the second public key to the server.
In step 405, the client generates a first symmetric key.
In step 406, the client encrypts the first symmetric key using the second public key from the server to obtain a first symmetric key ciphertext, and encrypts the service request packet using the first symmetric key.
In step 407, the client sends the encrypted service request packet and the first symmetric key ciphertext to the server.
In step 408, the server decrypts the first symmetric key ciphertext using the second private key to obtain the first symmetric key.
In step 409, the server decrypts the service request message using the first symmetric key and performs subsequent service processing.
In step 410, the server generates a second symmetric key.
In step 411, the server encrypts the second symmetric key using the first public key to obtain a second symmetric key ciphertext, and encrypts the service response packet using the second symmetric key.
In step 412, the server sends the encrypted service response message and the second symmetric key ciphertext to the client.
In step 413, the client decrypts the second symmetric key ciphertext using the first private key to obtain the second symmetric key.
In step 414, the client decrypts the response message using the second symmetric key.
Based on the steps, in a session process, a server and a client respectively generate a pair of public and private keys and a symmetric key, a public key from an opposite end is used for encrypting the locally generated symmetric key, the locally generated symmetric key is used for encrypting local service data and sending the encrypted data to the opposite end, the opposite end adopts a private key for decryption to obtain the symmetric key from the opposite end, and the symmetric key from the opposite end is used for completing decryption of the service data.
Based on this, the application provides a method for secure session, which improves the efficiency of data transmission on the premise of ensuring the secure transmission of data in the session process.
The method for secure session provided by the embodiment of the present application will be described in detail below with reference to the accompanying drawings. Fig. 5 is a schematic flow chart diagram of a method 500 for secure sessions provided by an embodiment of the present application. The method 500 includes steps 501 to 513, where steps 501 to 503 are mainly a process in which a client and a server share to obtain a public-private key pair, steps 504 to 507 are a process in which a client and a server share to obtain a symmetric key, and steps 508 to 513 are a specific process in which service data is transmitted between the client and the server. Mainly steps 501 to 513 are described in detail below.
In step 501, the client sends a request to the server to obtain a public key.
The operation of the server side corresponding to the step is that the server receives a request for obtaining the public key from the client side.
After the server receives a request for obtaining the public key from the client, the server can obtain the public and private key pair from the cache. One possible scenario is: if there is a pair of public and private keys in the cache of the server, the server can directly obtain the pair of public and private keys from the cache, and further, step 503 can be directly performed. Another possible scenario is: if a public-private key pair does not exist in the server's cache, method 500 may optionally further include step 502.
In step 502, the server generates a public-private key pair in response to a request from a client to obtain a public key.
One possible implementation is: and generating a pair of public and private keys based on a preset asymmetric encryption algorithm, wherein the generated public and private key pair can be stored in a cache of the server, and the validity period of the public and private key pair is a predefined value. The public-private key pair may be, for example, an RSA2048 public-private key pair, the cache of the server may be, for example, a remote dictionary server (Redis), and the validity period of the predefined public-private key pair may be, for example, 24 hours.
It should be understood that the validity period of the public and private key pair is mainly set to ensure the security of data in the session process, and if the public and private key pair is unchanged for a long time, the risk that the private key is disclosed is increased, so that the risk that the symmetric key is also disclosed is caused, and the risk that the transmitted service data is exposed is increased. Therefore, the limited period of the public and private key pair is set to be a certain time length, which is beneficial to ensuring the security of data in the session process.
In step 503, the server sends the public key to the client. Wherein the public key is from a public-private key pair generated by the server.
In step 504, the client generates a symmetric key based on the session with the server.
The symmetric key is used for encrypting and decrypting one or more messages in the session, and may be, for example, a key generated based on the SM4 algorithm.
In step 505, the client encrypts the symmetric key using the public key to obtain an encrypted key.
In step 506, the client sends the encryption key to the server.
In step 507, the server decrypts the encryption key based on the private key in the public-private key pair to obtain a symmetric key.
In step 508, the client sends the encrypted service request message to the server.
Corresponding to the step, the operation of the server is that the server receives the encrypted service request message from the client.
The service request message is used for requesting service access to the server.
Optionally, the method 500 may further include step 509 and step 510.
In step 509, the server obtains the source IP address of the service request packet.
In step 510, the server performs access control and/or flow control based on the source IP address.
Specifically, the process of the server performing access control based on the source IP address is as follows: the server determines whether the source IP address of the current service request message is matched with a preset illegal IP address, and filters the service message request under the condition that the source IP address of the current service request message is matched with the illegal IP address; or under the condition that the source IP address of the current service request message is not matched with the illegal IP address, the server continues to process the current service request. The specific flow can refer to fig. 6.
The process of processing the current service request may specifically refer to steps 511 to 513 below, and will not be described in detail here.
The server performs the flow control process based on the source IP address of the current service request packet specifically as follows: firstly, the server determines whether the number of times of service access requests of a source IP address from a current service request message exceeds a preset threshold, wherein the number of times of the service access requests of the source IP address can be obtained by reading an access request number value initiated by the IP recorded in Redis. Secondly, under the condition that the frequency of service access requests from the source IP address of the current service request message exceeds a preset threshold, the server filters the service access requests; or under the condition that the number of times of service access requests from the source IP address of the current service request packet does not exceed the preset threshold, the server may record the number of times of the current IP access requests in the Redis and continue to process the current service access requests. The specific flow can refer to fig. 7.
Specifically, the process of processing the current service access request includes steps 511 to 513, and the steps 511 to 513 will be described in detail below.
In step 511, the server decrypts the service request message based on the symmetric key.
In step 512, the server generates an encrypted service response message based on the service request message and the symmetric key.
The service response message is a response message for the service request message.
In step 513, the server sends the encrypted service response message to the client.
Based on the above scheme, before a session is performed between a client and a server, a symmetric key for encrypting and decrypting service data in the session may be negotiated based on a pair of public and private keys. And a pair of public and private keys and a symmetric key do not need to be generated respectively, and then the generated symmetric keys are encrypted by the public key of the opposite side and then transmitted to the opposite side. And the symmetric key can be generated based on the session and can be used for encrypting and decrypting the service data in the session without negotiating a key between the two parties before each service data transmission. Therefore, in the data transmission process, the data transmission device is fast, portable and safe, and is beneficial to improving the data transmission efficiency and improving the user experience.
In addition, after receiving the encrypted service request message from the client, the server can perform access control on the IP address of the service request message source and/or perform flow control until illegal and malicious access requests are intercepted, thereby further increasing the security, the rapidness and the portability of the session.
Fig. 8 is a schematic block diagram of an apparatus for secure sessions provided in an embodiment of the present application. As shown in fig. 8, the apparatus 800 may include: encryption and decryption module 810, service processing module 820, access control module 830 and flow control module 840. The encryption and decryption module 810 may be configured to receive a request for obtaining a public key from a client; sending the public key to the client, the public key being from a public-private key pair generated by device 800; receiving an encryption key from the client, the encryption key being a key obtained by encrypting a symmetric key based on the public key, the symmetric key being generated based on a session of the client with the device 800 for encryption and decryption of one or more messages in the session; and decrypting the encryption key based on a private key in the public and private key pair to obtain the symmetric key.
Optionally, the service processing module 820 may be configured to receive an encrypted service request packet from the client, where the service request packet is used to request service access to the apparatus 800; the access control module 830 may be configured to obtain a source internet protocol IP address of the service request packet; performing access control based on the source IP address; the flow control module 840 may be configured to perform flow control based on the source IP address.
Optionally, the access control module 830 may be further configured to determine whether the source IP address matches a preset illegal IP address; filtering the service message request under the condition that the source IP address is matched with the illegal IP address; or under the condition that the source IP address is not matched with the illegal IP address, the encryption and decryption module 810 continues to process the service message request.
Optionally, the flow control module 840 may be further configured to determine whether the number of service access requests from the source IP address exceeds a preset threshold; filtering the service access request under the condition that the frequency of the service access request from the source IP address exceeds a preset threshold; or under the condition that the number of times of the service access requests from the source IP address does not exceed the preset threshold, the encryption and decryption module 810 continues to process the service access requests.
Optionally, the encryption and decryption module 810 may be further configured to decrypt the service request packet based on the symmetric key; generating an encrypted service response message based on the service request message and the symmetric key, wherein the service response message is a response message aiming at the service request message; and sending the encrypted service response message to the client.
Optionally, the encryption and decryption module 810 is further configured to obtain the public-private key pair from a cache; generating the public-private key pair in response to a request from the client to obtain a public key in the event that the public-private key pair is not obtained from the cache.
Fig. 9 is another schematic block diagram of an apparatus for secure sessions provided by an embodiment of the present application. The device can be used for realizing the functions of the device for the secure session in the method. Wherein the apparatus may be a system-on-a-chip. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
As shown in fig. 9, the apparatus 900 may include at least one processor 910 for implementing the functions of the apparatus for securing a session in the method provided by the embodiment of the present application. Illustratively, the processor 910 may be configured to receive a request from a client to obtain a public key; sending the public key to the client, the public key being from a public-private key pair generated by device 900; receiving an encryption key from the client, the encryption key being a key obtained by encrypting a symmetric key based on the public key, the symmetric key being generated based on a session of the client with the device 900 for encryption and decryption of one or more messages in the session; and decrypting the encryption key based on a private key in the public and private key pair to obtain the symmetric key.
The apparatus 900 may also include at least one memory 920 for storing program instructions and/or data. The memory 920 is coupled to the processor 910. The coupling in the embodiments of the present application is an indirect coupling or a communication connection between devices, units or modules, and may be an electrical, mechanical or other form for information interaction between the devices, units or modules. The processor 910 may operate in conjunction with the memory 920. Processor 910 may execute program instructions stored in memory 920. At least one of the at least one memory may be included in the processor.
The apparatus 900 may also include a communication interface 930 for communicating with other devices over a transmission medium such that the apparatus used in the apparatus 900 may communicate with other devices. Illustratively, the communication interface 930 may be, for example, a transceiver, an interface, a bus, a circuit, or a device capable of performing a transceiving function. Processor 910 may utilize communication interface 930 to send and receive data and/or information and to implement the methods performed by the apparatus for secure sessions described in any of the embodiments of fig. 4-7.
The specific connection medium between the processor 910, the memory 920 and the communication interface 930 is not limited in the embodiments of the present application. In fig. 9, the processor 910, the memory 920 and the communication interface 930 are connected via a bus 940. The bus 940 is shown in fig. 9 by a thick line, and the connection between other components is merely illustrative and not intended to be limiting. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 9, but this does not indicate only one bus or one type of bus.
Fig. 10 is a schematic block diagram of an apparatus for another secure session provided in an embodiment of the present application. As shown in fig. 10, the apparatus 1000 may include: a transceiver module 1010 and an encryption/decryption module 1020. The transceiver module 1010 may be configured to send a request for obtaining a public key to a server; receiving the public key from the server, the public key being from a public-private key pair generated by the server; the encryption and decryption module 1020 may be configured to generate a symmetric key based on a session with the server, where the symmetric key is used for encryption and decryption of one or more packets in the session; encrypting the generated symmetric key based on the public key to obtain an encrypted key; the transceiver module 1010 may also be configured to send the encryption key to the server.
Optionally, the encryption and decryption module 1020 may be further configured to encrypt the service request packet based on the symmetric key to obtain an encrypted service request packet; the transceiver module 1010 is further configured to send the encrypted service request packet to the server; receiving an encrypted service response message from the server, wherein the service response message is a response message aiming at the service request message; the encryption and decryption module 1020 may be further configured to decrypt the service response packet based on the symmetric key to obtain the service response packet.
Fig. 11 is another schematic block diagram of an apparatus for another secure session provided by an embodiment of the present application. The device can be used for realizing the functions of the device for the secure session in the method. Wherein the apparatus may be a system-on-a-chip. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
As shown in fig. 11, the apparatus 1100 may include at least one processor 1110 for implementing the functions of the apparatus for securing a session in the method provided by the embodiment of the present application. Illustratively, the processor 1110 is operable to send a request to a server to obtain a public key; receiving the public key from the server, the public key being from a public-private key pair generated by the server; generating a symmetric key based on a session with the server, the symmetric key being used for encryption and decryption of one or more messages in the session; encrypting the generated symmetric key based on the public key to obtain an encrypted key; sending the encryption key to the server.
The apparatus 1100 may also include at least one memory 1120 for storing program instructions and/or data. The memory 1120 is coupled to the processor 1110. The coupling in the embodiments of the present application is an indirect coupling or a communication connection between devices, units or modules, and may be an electrical, mechanical or other form for information interaction between the devices, units or modules. The processor 1110 may operate in conjunction with the memory 1120. Processor 1110 may execute program instructions stored in memory 1120. At least one of the at least one memory may be included in the processor.
The apparatus 1100 may also include a communication interface 1130 for communicating with other devices over a transmission medium such that the apparatus used in the apparatus 1100 may communicate with other devices. Illustratively, the communication interface 1130 may be, for example, a transceiver, an interface, a bus, a circuit, or a device capable of performing a transceiving function. Processor 1110 may utilize communications interface 1130 to send and receive data and/or information and may be used to implement the methods performed by the apparatus for secure sessions described in any of the embodiments of fig. 4-7.
The specific connection medium among the processor 1110, the memory 1120, and the communication interface 1130 is not limited in the embodiments of the present application. In fig. 10, the processor 1110, the memory 1120, and the communication interface 1130 are connected by a bus 1140. The bus 1140 is shown in fig. 11 by a thick line, and the connection between other components is merely illustrative and not intended to be limiting. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 11, but this is not intended to represent only one bus or type of bus.
It should be understood that the division of the modules in the embodiments of the present application is illustrative, and is only one logical function division, and there may be other division manners in actual implementation. In addition, functional modules in the embodiments of the present application may be integrated into one processor, may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
The present application further provides a computer program product, the computer program product comprising: a computer program (also referred to as code, or instructions), which when executed, causes a computer to perform the method performed by a client or the method performed by a server in any of the embodiments of fig. 4-7.
The present application also provides a computer-readable storage medium having stored thereon a computer program (also referred to as code, or instructions). When executed, cause a computer to perform the method performed by the client or the method performed by the server in any of the embodiments of fig. 4-7.
It should be understood that the processor in the embodiments of the present application may be an integrated circuit chip having signal processing capability. In implementation, the steps of the above method embodiments may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software. The processor may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The storage medium is located in a memory, and a processor reads information in the memory and completes the steps of the method in combination with hardware of the processor.
It will also be appreciated that the memory in the embodiments of the subject application can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. The non-volatile memory may be a read-only memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an electrically Erasable EPROM (EEPROM), or a flash memory. Volatile memory can be Random Access Memory (RAM), which acts as external cache memory. By way of example, but not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), double data rate SDRAM, enhanced SDRAM, SLDRAM, Synchronous Link DRAM (SLDRAM), and direct rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
As used in this specification, the terms "unit," "module," and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution.
Those of ordinary skill in the art will appreciate that the various illustrative logical blocks and steps (step) described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application. In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, device and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
In the above embodiments, the functions of the functional units may be fully or partially implemented by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions (programs). The procedures or functions described in accordance with the embodiments of the present application are generated in whole or in part when the computer program instructions (programs) are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (15)

1. A method of securing a session, comprising:
the server receives a request for obtaining a public key from a client;
the server sends the public key to the client, wherein the public key is from a public and private key pair generated by the server;
the server receives an encryption key from the client, wherein the encryption key is obtained by encrypting a symmetric key based on the public key, and the symmetric key is generated based on a session between the client and the server and is used for encrypting and decrypting one or more messages in the session;
and the server decrypts the encryption key based on a private key in the public and private key pair to obtain the symmetric key.
2. The method of claim 1, wherein the method further comprises:
the server receives an encrypted service request message from the client, wherein the service request message is used for requesting service access to the server;
the server acquires a source Internet Protocol (IP) address of the service request message;
the server performs access control based on the source IP address; and/or
And the server performs flow control based on the source IP address.
3. The method of claim 2, wherein the server performs access control based on the source IP address, comprising:
the server determines whether the source IP address is matched with a preset illegal IP address;
under the condition that the source IP address is matched with the illegal IP address, the server filters the service message request; or
And under the condition that the source IP address is not matched with the illegal IP address, the server continues to process the service message request.
4. The method of claim 2, wherein the server performs flow control based on the source IP address, comprising:
the server determines whether the number of times of service access requests from the source IP address exceeds a preset threshold or not;
under the condition that the frequency of service access requests from the source IP address exceeds a preset threshold, the server filters the service access requests; or
And under the condition that the frequency of the service access requests from the source IP address does not exceed the preset threshold, the server continues to process the service access requests.
5. The method of claim 3 or 4, wherein the server continues to process the service access request, comprising:
the server decrypts the service request message based on the symmetric key;
the server generates an encrypted service response message based on the service request message and the symmetric key, wherein the service response message is a response message aiming at the service request message;
and the server sends the encrypted service response message to the client.
6. The method of claim 1, wherein after the server receives a request from a client to obtain a public key, the method further comprises:
the server acquires the public and private key pair from a cache;
and the server responds to a request for obtaining a public key from the client to generate the public and private key pair under the condition that the public and private key pair is not obtained from the cache.
7. The method of claim 6, wherein the public-private key pair is stored in a cache of the server, and a validity period of the public-private key pair is a predefined value.
8. The method of claim 1, wherein the symmetric key is a key generated based on a cryptographic algorithm SM4, and the public-private key pair is a key generated based on an RSA algorithm.
9. A method of securing a session, comprising:
a client sends a request for obtaining a public key to a server;
the client receives the public key from the server, wherein the public key is from a public and private key pair generated by the server;
the client generates a symmetric key based on a session with the server, wherein the symmetric key is used for encrypting and decrypting one or more messages in the session;
the client encrypts the generated symmetric key based on the public key to obtain an encrypted key;
and the client sends the encryption key to the server.
10. The method of claim 9, wherein the method further comprises:
the client encrypts a service request message based on the symmetric key to obtain an encrypted service request message;
the client sends the encrypted service request message to the server;
the client receives an encrypted service response message from the server, wherein the service response message is a response message aiming at the service request message;
and the client decrypts the service response message based on the symmetric key to obtain the service response message.
11. The method according to claim 9 or 10, wherein the symmetric key is a key generated based on the cryptographic algorithm SM4, and the public-private key pair is a key generated based on the RSA algorithm.
12. An apparatus for securing a session, comprising means for implementing the method of any one of claims 1 to 11.
13. An apparatus for securing a session, comprising a processor and a memory; wherein the content of the first and second substances,
the memory for storing program code;
the processor, configured to call the program code stored in the memory, and execute the method of any one of claims 1 to 11.
14. A computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1 to 11.
15. A computer program product, comprising a computer program which, when run by a computer, causes the computer to perform the method of any one of claims 1 to 11.
CN202110730273.1A 2021-06-29 2021-06-29 Method and device for secure session Active CN113411345B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110730273.1A CN113411345B (en) 2021-06-29 2021-06-29 Method and device for secure session

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110730273.1A CN113411345B (en) 2021-06-29 2021-06-29 Method and device for secure session

Publications (2)

Publication Number Publication Date
CN113411345A true CN113411345A (en) 2021-09-17
CN113411345B CN113411345B (en) 2023-10-10

Family

ID=77680220

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110730273.1A Active CN113411345B (en) 2021-06-29 2021-06-29 Method and device for secure session

Country Status (1)

Country Link
CN (1) CN113411345B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114050932A (en) * 2021-11-10 2022-02-15 安徽健坤通信股份有限公司 Network security verification method and system for distributed system
CN114172719A (en) * 2021-12-03 2022-03-11 杭州安恒信息技术股份有限公司 Encryption and decryption method, device, equipment and computer readable storage medium
CN114338114A (en) * 2021-12-21 2022-04-12 中国农业银行股份有限公司 Intrusion detection method, device, equipment and storage medium
CN114389803A (en) * 2021-12-24 2022-04-22 奇安信科技集团股份有限公司 SPA key distribution method and device
CN114499836A (en) * 2021-12-29 2022-05-13 北京像素软件科技股份有限公司 Key management method, key management device, computer equipment and readable storage medium
CN115021992A (en) * 2022-05-27 2022-09-06 中国银行股份有限公司 Mobile phone bank fund data processing method and device based on block chain
WO2024060630A1 (en) * 2022-09-20 2024-03-28 京东科技信息技术有限公司 Data transmission management method, and data processing method and apparatus

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103001976A (en) * 2012-12-28 2013-03-27 中国科学院计算机网络信息中心 Safe network information transmission method
CN103746993A (en) * 2014-01-07 2014-04-23 南京大学 Cloud storage data encryption method with client-controlled decryption private key and server-performed encryption and decryption
CN107026727A (en) * 2016-02-02 2017-08-08 阿里巴巴集团控股有限公司 A kind of methods, devices and systems for setting up communication between devices
CN108173644A (en) * 2017-12-04 2018-06-15 珠海格力电器股份有限公司 Data transfer encryption method, device, storage medium, equipment and server
CN111988299A (en) * 2020-08-14 2020-11-24 杭州视洞科技有限公司 Method for establishing trusted link between client and server
US20210144004A1 (en) * 2019-11-11 2021-05-13 International Business Machines Corporation Forward secrecy in Transport Layer Security (TLS) using ephemeral keys
CN112822015A (en) * 2020-12-30 2021-05-18 中国农业银行股份有限公司 Information transmission method and related device

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103001976A (en) * 2012-12-28 2013-03-27 中国科学院计算机网络信息中心 Safe network information transmission method
CN103746993A (en) * 2014-01-07 2014-04-23 南京大学 Cloud storage data encryption method with client-controlled decryption private key and server-performed encryption and decryption
CN107026727A (en) * 2016-02-02 2017-08-08 阿里巴巴集团控股有限公司 A kind of methods, devices and systems for setting up communication between devices
CN110176987A (en) * 2016-02-02 2019-08-27 阿里巴巴集团控股有限公司 A kind of method, apparatus, equipment and the computer storage medium of equipment certification
CN108173644A (en) * 2017-12-04 2018-06-15 珠海格力电器股份有限公司 Data transfer encryption method, device, storage medium, equipment and server
US20210144004A1 (en) * 2019-11-11 2021-05-13 International Business Machines Corporation Forward secrecy in Transport Layer Security (TLS) using ephemeral keys
CN111988299A (en) * 2020-08-14 2020-11-24 杭州视洞科技有限公司 Method for establishing trusted link between client and server
CN112822015A (en) * 2020-12-30 2021-05-18 中国农业银行股份有限公司 Information transmission method and related device

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114050932A (en) * 2021-11-10 2022-02-15 安徽健坤通信股份有限公司 Network security verification method and system for distributed system
CN114172719A (en) * 2021-12-03 2022-03-11 杭州安恒信息技术股份有限公司 Encryption and decryption method, device, equipment and computer readable storage medium
CN114338114A (en) * 2021-12-21 2022-04-12 中国农业银行股份有限公司 Intrusion detection method, device, equipment and storage medium
CN114389803A (en) * 2021-12-24 2022-04-22 奇安信科技集团股份有限公司 SPA key distribution method and device
CN114499836A (en) * 2021-12-29 2022-05-13 北京像素软件科技股份有限公司 Key management method, key management device, computer equipment and readable storage medium
CN115021992A (en) * 2022-05-27 2022-09-06 中国银行股份有限公司 Mobile phone bank fund data processing method and device based on block chain
WO2024060630A1 (en) * 2022-09-20 2024-03-28 京东科技信息技术有限公司 Data transmission management method, and data processing method and apparatus

Also Published As

Publication number Publication date
CN113411345B (en) 2023-10-10

Similar Documents

Publication Publication Date Title
CN113411345B (en) Method and device for secure session
US10785019B2 (en) Data transmission method and apparatus
Kapoor et al. Elliptic curve cryptography
Orman The OAKLEY key determination protocol
CN109756329B (en) Anti-quantum computing shared key negotiation method and system based on private key pool
USRE40530E1 (en) Public key cryptographic apparatus and method
US8429408B2 (en) Masking the output of random number generators in key generation protocols
US10367637B2 (en) Modular exponentiation with transparent side channel attack countermeasures
KR100833828B1 (en) Method of authenticating anonymous users while reducing potential for ?middleman? fraud
US20130156188A1 (en) Proxy-based encryption method, proxy-based decryption method, network equipment, network device and system
CN111294203B (en) Information transmission method
JP6556955B2 (en) Communication terminal, server device, program
CN111555880A (en) Data collision method and device, storage medium and electronic equipment
JP6294882B2 (en) Key storage device, key storage method, and program thereof
Saeed et al. Improved cloud storage security of using three layers cryptography algorithms
CA2742530C (en) Masking the output of random number generators in key generation protocols
Panda et al. A modified PKM environment for the security enhancement of IEEE 802.16 e
CN109361506B (en) Information processing method
CN115883212A (en) Information processing method, device, electronic equipment and storage medium
JP5513255B2 (en) Proxy signature system and method
Orman RFC2412: The OAKLEY Key Determination Protocol
CN109905232B (en) Signature decryption method, system, equipment and computer readable storage medium
CN107483387A (en) A kind of method of controlling security and device
KR100401063B1 (en) the method and the system for passward based key change
JPH07118709B2 (en) Confidential information communication method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant